roundup (Mercurial): comparison .github/workflows/anchore.yml @ 7148:cc49ac11850f
Pin actions by using hashes, removing tags like @v2 or @master.
Now that actions are being scanned by dependabot, this is easier to
keep up with.
This also clears multiple security issues flagged by ossf-scorecard.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 16 Feb 2023 20:12:55 -0500 |
| parents | 7f4d20ebae4a |
| children | fcf7e210a0f9 |
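The commit pins every `uses:` reference to a full commit SHA, which is the kind of check ossf-scorecard applies to workflow files. Below is an added example of a standalone checker for that property; it is not code from the roundup repository. The helper names (`scan_workflow`, `check_uses`, `Finding`) and the embedded sample workflow are this example's own, and the sample deliberately mixes a tag pin, a SHA pin with an inline version comment, a SHA pin whose comment sits on the next line, a local action, a `docker://` image and a branch pin so that each branch of the check is exercised.

```python
"""Report `uses:` references in a GitHub Actions workflow that are not pinned
to a full 40-hex commit SHA, or that lack a same-line version comment.

Added example; not part of the roundup repository. Plain regex parsing is
used so the script runs without PyYAML.
"""
import re
from typing import List, NamedTuple, Optional

# `- uses: owner/repo@ref   # optional comment`
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")


class Finding(NamedTuple):
    line: int
    ref: str
    problem: str


def check_uses(ref: str, comment: Optional[str]) -> Optional[str]:
    """Return a problem description for one `uses:` value, or None if acceptable."""
    ref = ref.strip("'\"")
    # Local composite actions and docker images are not GitHub repo refs;
    # image pinning is a separate concern handled in the Dockerfile.
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return "no ref at all (resolves to the action's default branch)"
    _action, version = ref.rsplit("@", 1)
    if not SHA_RE.match(version):
        return f"pinned to mutable ref {version!r}, not a full commit SHA"
    # A same-line '# vX.Y.Z' comment keeps the hash readable; a comment on the
    # following line is not attached to the `uses:` line it describes.
    if comment is None or not VERSION_COMMENT_RE.match(comment.strip()):
        return "SHA pin has no same-line version comment (e.g. '# v3.3.0')"
    return None


def scan_workflow(text: str) -> List[Finding]:
    """Scan workflow YAML text and return one Finding per problematic `uses:` line."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        problem = check_uses(m.group("ref"), m.group("comment"))
        if problem:
            findings.append(Finding(lineno, m.group("ref"), problem))
    return findings


# Constructed sample, not a real roundup workflow file.
SAMPLE_WORKFLOW = """\
name: Anchore
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the code
        uses: actions/checkout@v3
      - name: Run scan
        uses: anchore/scan-action@dafbc97d7259af88b61bd260f2fde565d0668a72 # v3.3.4
      - name: Upload
        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5
        # v2.2.4
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.17
      - uses: some/action@master
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.problem}")
```

Run it against a real file with `scan_workflow(open(".github/workflows/anchore.yml").read())`; a non-empty result is what a pre-commit hook or CI step would fail on.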
| 7147:7f4d20ebae4a | 7148:cc49ac11850f |
|---|---|
| 34 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | 34 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
| 35 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | 35 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status |
| 36 runs-on: ubuntu-latest | 36 runs-on: ubuntu-latest |
| 37 steps: | 37 steps: |
| 38 - name: Checkout the code | 38 - name: Checkout the code |
| 39 uses: actions/checkout@v3 | 39 uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c |
| 40 # v3.3.0 | |
| 40 - name: Build the Docker image | 41 - name: Build the Docker image |
| 41 run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest | 42 run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest |
| 42 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled | 43 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled |
| 43 uses: anchore/scan-action@v3 | 44 uses: anchore/scan-action@dafbc97d7259af88b61bd260f2fde565d0668a72 # v3.3.4 |
| 44 id: scan | 45 id: scan |
| 45 with: | 46 with: |
| 46 image: "localbuild/testimage:latest" | 47 image: "localbuild/testimage:latest" |
| 47 fail-build: true | 48 fail-build: true |
| 48 - name: Upload Anchore Scan Report | 49 - name: Upload Anchore Scan Report |
| 49 if: always() | 50 if: always() |
| 50 uses: github/codeql-action/upload-sarif@v2 | 51 uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 |
| 52 # v2.2.4 | |
| 51 with: | 53 with: |
| 52 sarif_file: ${{ steps.scan.outputs.sarif }} | 54 sarif_file: ${{ steps.scan.outputs.sarif }} |
| 53 - name: Inspect action SARIF report | 55 - name: Inspect action SARIF report |
| 54 if: always() | 56 if: always() |
| 55 run: cat ${{ steps.scan.outputs.sarif }} | 57 run: cat ${{ steps.scan.outputs.sarif }} |
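Review bot: the version comments for actions/checkout (`# v3.3.0`) and github/codeql-action/upload-sarif (`# v2.2.4`) are on a line of their own, while anchore/scan-action keeps `# v3.3.4` on the same line as its `uses:`; make all three inline, e.g. `uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0`, so the hash-to-release mapping stays on one line and Dependabot, which the commit message relies on for keeping the pins current, can rewrite the comment together with the SHA (it only updates a same-line version comment, so the detached ones will go stale after the first bump). The same pin-by-hash reasoning applies to `docker pull python:3-alpine` in the build step: the tag is mutable, so pinning the image by digest would close the same gap for the artifact being scanned; `runs-on: ubuntu-latest` is likewise a floating label, though that is a runner choice rather than a fetched dependency and can be left for a follow-up.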
